Remote exploit released for brand-new Safari for Windows

Summary: Security researcher Thor Larholm has found what might be the first remote code execution vulnerability in Apple's shiny new Safari for Windows.


Security researcher Thor Larholm has found what might be the first remote code execution vulnerability in Apple's shiny new Safari for Windows.

Larholm has released an advisory with proof-of-concept code to demonstrate the vulnerability, which can be used to take complete control of a Windows PC if the user simply surfs to a Web page.

Larholm has also posted a demo of the flaw, which triggers a Safari crash and bounces through Firefox via the Gopher protocol.

Larholm explains:

The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically consists of a multitude of different URL schemes, some of which are handled by internal functions and others that are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.

Although the proof-of-concept exploit is launched via Firefox installed on the victim machine, Larholm makes it clear that this is a problem in Safari for Windows. In an interview over IM, he said he did not test the exploit on the Mac OS X platform.

It is important to know that, even though this PoC exploit uses Firefox, the actual vulnerability is within the lack of input validation for the command line arguments handed to the various URL protocol handlers on your machine. As such, there are a lot of different attack vectors for this vulnerability, I simply chose Firefox and the Gopher URL protocol because I was familiar with these.
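To make the vulnerability class Larholm describes concrete, here is an added example (not Larholm's code and not anything from Safari or Firefox) contrasting the weak pattern, a URL spliced into one command-line string, with a hardened dispatcher that allowlists the scheme, enforces the RFC 3986 character set and passes the URL as a single argv element. The handler table, program paths and URLs are constructed placeholders.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed handler table: URL scheme -> argv prefix of the external
# program that handles it.  Paths are hypothetical placeholders, not
# anything registered by Safari, Firefox or Windows.
HANDLERS = {
    "gopher": ["/opt/example/external-browser", "--new-window"],
    "mailto": ["/opt/example/mail-client", "--compose"],
}

# Characters RFC 3986 permits anywhere in a URL.  Double quotes, spaces
# and control characters are absent, so a URL carrying them is rejected.
URL_CHARSET = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def naive_command_line(url):
    """Weak pattern: splice the URL into a single command-line string.
    Argument boundaries are then under the control of the URL author."""
    return '"%s" "%s"' % (HANDLERS["gopher"][0], url)


def argument_count(command_line):
    """How many arguments a child process would see for this command line."""
    return len(shlex.split(command_line))


def build_argv(url):
    """Hardened dispatch: allowlist the scheme, enforce the URL character
    set, and pass the URL as exactly one argv element with no shell in
    between.  Raises ValueError rather than launching anything."""
    if not URL_CHARSET.match(url):
        raise ValueError("URL contains characters outside RFC 3986: %r" % url)
    scheme = urlsplit(url).scheme.lower()
    if scheme not in HANDLERS:
        raise ValueError("scheme has no registered external handler: %r" % scheme)
    # One list element per argument: the URL cannot add or alter arguments.
    return HANDLERS[scheme] + [url]


def is_safe_to_dispatch(url):
    """Boolean wrapper so callers can log a rejection instead of handling it."""
    try:
        build_argv(url)
        return True
    except ValueError:
        return False
```

A URL containing a double quote turns the two-argument naive command line into four arguments, while `build_argv` rejects the same input before any process is started.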

Larholm isn't the only hacker pounding on the new browser. Within hours of the beta release, two researchers -- David Maynor and Aviv Raff -- used fuzzers to find memory corruption bugs that may be exploitable.

[UPDATE: June 12 2007 @ 9:15 AM] An addendum from David Maynor on his findings:

I'd like to note that we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs. We have weaponized one of those to be reliable and it's different than what Thor has found. I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff).

Topics: Windows, Browser, Security


Talkback

52 comments
  • No Bias there at all

    [i]"Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser."

    "A bunch of other security researchers such as David Maynor and Aviv Raff have been pounding safariWin with their fuzzing tools"[/i]

    Funny, other researchers have stated that Apple has been cooperative with them.

    [i]"I will not sell this one to ZDI or iDefense but instead release it here, as I have done lately with a number of 0day vulnerabilities."[/i]

    I am sure Apple will appreciate that. It will definitely help you have better relations with them.

    All sarcasm aside.

    I think that Apple had better do a major shift on their security. The free ride is well over.

    It is going to get harder to live up to those commercials.

    [b]News Flash to you Researchers[/b]

    Act irresponsibly like Maynor and company and Apple isn't going to be your friend.
    dragosani
    • If Apple intends on playing on the Dark Side

      This is the sort of reaction they should plan on getting from here on out. Microsoft
      and Windows are still the underlying target, regardless of whether it's IE, FF, Opera or
      Safari serving as the conduit. Apple better get used to the rough housing that other
      browsers in a Windoze world are subjected to.

      Moreover, given Apple's fiscal growth and economic weight of late there are plenty
      who now lump them in as one of The Enemy anyways.
      flatliner
      • What do you mean, intends on?

        Apple has been on the dark side since the day Jobs conceived of it and went out to borrow all of the technology to make his dream come true.
        We are talking about a man that orders threatening and filing lawsuits on Mom and Pop shops because they have the letters "pod" in their name. You can't be serious.
        xuniL_z
      • ooops

        [i]Microsoft and Windows is still the underlying target, regardless of whether it's IE, FF, Opera or Safari serving as the conduit.[/i]

        Perhaps you didn't see the update.

        [b][i]I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff).[/i][/b]
        Badgered
  • It is beta, after all

    I expect the true debugging to start now. These bugs will be fixed by final release
    time.

    Why are ZDNet and some security individuals intent on portraying Apple as
    irresponsible? Apple replies to all security concerns responsibly and gives credit
    where credit is due.
    YinToYourYang-22527499
    • Maybe you missed this

      ** but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well **

      That is not a beta mistake.
      mdemuth
      • He very well may have

        That "update" to the blog wasn't there when I posted.

        It may not have been there when he posted.

        :)
        dragosani
    • Whether it's beta or not is no excuse for issues like this...

      But, I bet "name recognition" had to be a part of the hunt.. After all, a new browser on
      the Windows O/S coming from Mac would be a good thing to have on your list of "I
      found it first".
      ju1ce
  • Rep and I love it...

    My rep and I are having a small celebration here today, complete with pizza and Coke for the MCSEs and MCSDs. I am dressing up as a "Safari hunter" complete with hunting rifle and canteen and am going to shoot paintballs at posters of Apple's Safari browser. I am then riding a little speech in honor of IE7. It starts like this: "Friends, MCSEs, countrymen, I have come here to bury Safari not to praise it". My rep and I will then go out for a refined lunch at Yarrow's.
    Mike Cox
    • Gah!

      [i]"I am dressing up as a "Safari hunter" complete with hunting rifle and canteen"[/i]

      7up burns the inside of my nose. Next time I am not taking a drink before reading.
      dragosani
      • dragosani

        You really need to get out more often, you really do.
        xuniL_z
        • Yes, I do (nt)

          nt
          dragosani
    • Dude, you are hilarious!

      If IT does not pay you well, comedy suits you well. You keep the mood light in these tug-o-wars. It's much appreciated.
      andrej770
  • Message has been deleted.

    NonZealot
    • FYI - Safari based on Konqueror

      "Safari uses Apple's WebKit for rendering web pages and running JavaScript. WebKit consists of WebCore (based on Konqueror's KHTML engine) and JavaScriptCore (based on KDE's kjs JavaScript engine)."

      -Wikipedia
      dragosani
      • Based on?

        As in: based on a true story? Like those types of movies, there is a shred of the original in it but you know as well as I do that there is a ton of Apple code in Safari. In fact, this has been a [b]huge[/b] sore spot with the KHTML crowd because Apple basically stole KHTML, started modifying it, and [b]wouldn't release the changes back to the community[/b]. Do a search on this and you will see many, many articles talking about how different WebCore and KHTML are.
        NonZealot
        • Let's not forget the ending

          I was just pointing out that Safari isn't 100% Apple code.

          http://dot.kde.org/1118138374/

          Apple did give code back and the relationship between Apple and the KDE community is better.

          Only tell part of the story. It makes it much more interesting. ;)
          dragosani
    • What are you some kind of schmuck ?

      Apple did not steal BSD; if they did they would be sued. Zealot, you have to be the worst that ZDNet has to offer. As for QuickTime being vulnerable, ActiveX holds that title forever. Safari is based on KHTML. If you are going to start a flame war, at least get your facts straight.
      Intellihence
      • Only one fact needs to be said

        Apple. Apple, who accused MS more than once of copying ideas... well, the whole Mac OS is just a pile of "ideas" borrowed from all over the place. And now that Apple products (software and hardware) are being used more and more they get attention and oh! what a surprise, they contain tons of bugs. Apple is as bad as MS when it comes to software bugs. If Mac OS is so great I dare Apple to remove the artificial lock on Mac OS and let's see how well it will do in the PC jungle.
        Mectron
        • Sigh

          How long will this myth go on? Apple's genius has always been taking the bits and
          pieces and putting them together so they actually work.

          Usable UNIX? OS X.
          Usable networking: Bonjour.
          Usable MP3 player: iPod
          Usable media center: Apple TV
          Usable cell phone: iPhone.

          And the list goes on.
          frgough